What is the meaning of the nat-traversal command?

san_dec21
Level 1

Can someone explain to me what exactly the nat-traversal command means and what it does in a VPN topology?

6 Replies

Jon Marshall
Hall of Fame

Hi

If you have a NAT/PAT device between your VPN client and the VPN headend device, this can stop the VPN tunnel from working because the port numbers get changed.

In order to get around this you can use nat-traversal, which needs to be supported on both the client end and the headend device. The IPsec traffic is encapsulated in UDP packets on port 4500. This allows the NAT to modify the packet without breaking the IPsec tunnel.

HTH

Jon

Adding to Jon's comment, the headend device should automatically detect whether or not the incoming connection is coming through a NAT device, and then use port 4500 for the handshake.

Unless NAT-T is turned off, and at that point, just use IPsec over UDP.

Hope this explains.

Cheers

Gilbert
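
An added example that is not part of the thread and is not Cisco code, putting the two replies above into working form: the UDP/4500 framing Jon describes, where a receiver has to tell IKE, ESP and keepalives apart on a single port (RFC 3948), and the NAT-D hash through which the headend Gilbert mentions detects a NAT in the path automatically (RFC 3947). The packets, IKE cookies and addresses are constructed for the example, and fixing the NAT-D hash to SHA-1 is an assumption; a real peer uses whichever hash was negotiated for the IKE SA.

```python
"""NAT-T on the wire: the UDP/4500 framing of RFC 3948 and the NAT-D
detection hash of RFC 3947.

Added illustration, not code from the thread or from any Cisco product.
Every packet, cookie and address below is constructed by hand.
"""
import hashlib
import ipaddress
import struct

IKE_PORT = 500      # plain IKE: no marker and no ESP, so no ambiguity
NAT_T_PORT = 4500   # IKE behind a Non-ESP Marker, UDP-encapsulated ESP, keepalives

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 2.2: ESP SPI 0 is never assigned
NAT_KEEPALIVE = b"\xff"                # RFC 3948 2.3: a single 0xFF octet

# ISAKMP / IKE header (RFC 2408 section 3.1): 28 octets.
IKE_HDR = struct.Struct("!8s8sBBBBII")
IKEV1_MAIN_MODE = 2                    # exchange type "Identity Protection"


def parse_ike_header(data: bytes) -> dict:
    """Split the 28-octet IKE header into its fields."""
    cky_i, cky_r, nxt, ver, exch, flags, msg_id, length = IKE_HDR.unpack(data[:IKE_HDR.size])
    return {
        "cky_i": cky_i, "cky_r": cky_r, "next_payload": nxt,
        "version": (ver >> 4, ver & 0x0F), "exchange_type": exch,
        "flags": flags, "msg_id": msg_id, "length": length,
    }


def classify_udp4500(payload: bytes) -> dict:
    """Decide what a UDP/4500 datagram carries, as a NAT-T peer must.

    IKE and ESP share one port once NAT-T floats the SA to 4500, so the
    receiver keys on the first four octets: all zero can only be the
    Non-ESP Marker in front of IKE; a lone 0xFF is a NAT-keepalive;
    anything else is the SPI of UDP-encapsulated ESP.
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload[:4] == NON_ESP_MARKER:
        if len(payload) < 4 + IKE_HDR.size:
            raise ValueError("Non-ESP Marker not followed by a full IKE header")
        return {"kind": "ike", **parse_ike_header(payload[4:])}
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "esp", "spi": spi, "seq": seq}
    raise ValueError("too short for any NAT-T datagram")


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """Contents of a NAT-D payload, RFC 3947 section 3.2:
    HASH(CKY-I | CKY-R | IP | Port), with IP as raw address octets and Port
    as two octets in network order.  The RFC uses the hash negotiated for
    the IKE SA; using SHA-1 here is an assumption of this example.
    """
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + addr + struct.pack("!H", port)).digest()


def nat_between_peers(received_nat_d: bytes, cky_i: bytes, cky_r: bytes,
                      observed_ip: str, observed_port: int) -> bool:
    """A peer hashes the address and port it actually sees in the outer
    IP/UDP headers and compares with the NAT-D hash the other side sent for
    itself.  A mismatch means something rewrote the address or port in
    transit; that is the automatic detection which triggers the move to
    UDP/4500 (RFC 3947 section 4).
    """
    return nat_d_hash(cky_i, cky_r, observed_ip, observed_port) != received_nat_d


def build_ike_with_marker(cky_i: bytes, cky_r: bytes, body: bytes = b"") -> bytes:
    """IKEv1 main-mode message as it appears on UDP/4500 (marker prepended)."""
    hdr = IKE_HDR.pack(cky_i, cky_r, 0, 0x10, IKEV1_MAIN_MODE, 0, 0,
                       IKE_HDR.size + len(body))
    return NON_ESP_MARKER + hdr + body


def demo() -> dict:
    """Constructed scenario: a client at 10.0.0.5:500 behind a NAT that the
    headend sees as 203.0.113.7:44001 (documentation address ranges)."""
    cky_i = bytes.fromhex("0011223344556677")
    cky_r = bytes.fromhex("8899aabbccddeeff")
    ike = classify_udp4500(build_ike_with_marker(cky_i, cky_r))
    esp = classify_udp4500(struct.pack("!II", 0x12345678, 1) + b"\x00" * 16)
    ka = classify_udp4500(NAT_KEEPALIVE)
    # The client hashes its own view of itself; the headend checks that
    # against the source address and port in the outer headers it received.
    client_nat_d = nat_d_hash(cky_i, cky_r, "10.0.0.5", IKE_PORT)
    natted = nat_between_peers(client_nat_d, cky_i, cky_r, "203.0.113.7", 44001)
    # A peer with no NAT in the path: both sides see the same address and port.
    direct_nat_d = nat_d_hash(cky_i, cky_r, "198.51.100.9", IKE_PORT)
    direct = nat_between_peers(direct_nat_d, cky_i, cky_r, "198.51.100.9", IKE_PORT)
    return {"ike": ike, "esp": esp, "keepalive": ka,
            "nat_detected": natted, "direct_detected": direct}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running the demo shows the headend flagging the NATed client (its NAT-D hash was computed over 10.0.0.5:500, but the datagram arrived from 203.0.113.7:44001) while leaving the directly connected peer alone, and shows how the marker lets IKE and ESP coexist on port 4500 without the NAT having to understand either.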

Hi Jon, Gilbert,

I read that there is a security risk in implementing NAT-T. How true is that? Is there something that can be done to reduce the risk?

Like what risk?

Where did you read it?

Give me the article where you read about it.

Thanks

Gilbert

http://www.ietf.org/rfc/rfc3947.txt

See section 8, Security Considerations.

Further, I have read Microsoft articles...

support.microsoft.com/kb/885348

While I intend to use my VPN Concentrator in the DMZ with my PIX Firewall, I wanted to be sure....

Hi

There are different types of vulnerability:

1) Theoretical vulnerabilities, i.e. in theory it could be done but no one has ever done it.

2) Vulnerabilities where the attacker would need so much access that, if they had that access, there would be much easier targets to go for.

3) Vulnerabilities which can be exploited without any special access etc.

Together with this you have to balance these vulnerabilities against how likely your company is to be a target.

Reading through your attachment, the one I would concentrate on is the use of a group wildcard and pre-shared keys. If you are not already doing it, I would strongly recommend you don't use pre-shared keys solely for authentication and use some sort of token-based authentication.

HTH

Jon
